Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

2014 Micro Blacklist

[ 2014 Micro Blacklist ] Over the past several months, I’ve assembled a “micro” blacklist to keep some recent threats at bay. Eventually, this will be integrated into the next nG Blacklist, but for now I just wanted to post and share with anyone else who is actively monitoring their server logs and aware of the recent spike in malicious activity.

The 2014 Micro Blacklist blocks some particularly persistent user agents and hosts, as well as a handful of resource-wasting IP addresses that just won’t stop scanning and sniffing around where they don’t belong. Lastly, there a couple of lines for blocking some relentless 404 requests.

2014 Micro Blacklist

To implement this blacklist, just copy/paste into the root .htaccess file of your website. If the .htaccess file doesn’t exist, check that you’re on an Apache server (and that .htaccess is enabled), and then go ahead and create one. Check out my .htaccess book if you need help with anything .htaccess related, and/or to learn WAY more about securing your site.

# 2014 Micro Blacklist
<IfModule mod_setenvif.c>
	Order Allow,Deny
	Allow from all
	Deny from 123.151.39.
	Deny from 77.172.210.
	Deny from 174.94.131.
	Deny from 89.238.137.59
	Deny from 212.90.148.101
	Deny from 91.207.61.129
	Deny from 202.46.52.120
	Deny from 128.73.60.194
	Deny from 68.108.17.141
	Deny from 27.54.93.178
	Deny from 194.9.94.213
	Deny from 122.166.169.127
	Deny from 96.9.163.49
	Deny from 54.229.73.40
	Deny from 203.109.158.201
	Deny from 46.105.113.8
	Deny from 183.60.244.
	Deny from 54.232.102.193
	Deny from 195.157.124.186
	Deny from 118.39.113.219
	Deny from 27.255.56.87
	Deny from 69.161.138.1
	Deny from 192.96.204.42
	Deny from 178.63.52.200
	Deny from 27.252.92.103
	Deny from 37.59.65.58
	Deny from 186.202.126.94
	Deny from 186.213.72.146
	Deny from 186.219.44.6
</IfModule>
<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_HOST} (.*)\.crimea\.com [NC,OR]
	RewriteCond %{HTTP_HOST} s368\.loopia\.se [NC,OR]
	RewriteCond %{HTTP_HOST} kanagawa\.ocn [NC,OR]
	RewriteCond %{HTTP_HOST} g00g1e [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (ia_archiver|g00g1e|seekerspider|siclab|spam|sqlmap) [NC]
	RewriteRule .* - [F,L]
</IfModule>
<IfModule mod_alias.c>
	RedirectMatch 403 router\.php
	RedirectMatch 403 /\)\.html\(
</IfModule>
<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} http\:\/\/www\.google\.com\/humans\.txt\? [NC]
	RewriteRule .* - [F,L]
</IfModule>

Notes: ia_archiver was a tough call — they do some legit stuff, but lots of illicit/malicious requests are made claiming that UA or some derivitive thereof.. so it’s your call on that, feel free to remove it if the wayback machine is important to you or whatever.

About the IPs, normally I don’t bother blocking individual IPs because they are frequently spoofed and/or changing constantly. When it looks like an IP is directly tied to the perpetrator, blocking by IP can be an effective remedy for the endless scanning and malicious HTTP requests that ail you.

Update: Added a rule to protect against humans.txt scanning. If your site uses humans.txt, remove the last <IfModule> block from the Micro Blacklist.

Lastly, this “micro” blacklist serves as a good starting point for building up your own mini-firewall that’s tuned to your particular server and traffic profile.

Have fun and keep those sites secure people.

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
SAC Pro: Unlimited chats.

5 responses to “2014 Micro Blacklist”

  1. I see this line in the blacklist:
    RewriteCond %{HTTP_HOST} s368\.loopia\.se [NC,OR]

    Does this mean the large Swedish ISP loopia.se is involved/used in the majority of the attacks?

    • Jeff Starr 2014/02/11 4:43 am

      Nope. It means that the log files showed consistent, predictable patterns of malicious behavior with requests reporting that particular host. Feel free to remove the line if desired or if you aren’t seeing any matches in your own server logs.

  2. Thanks for this. Shall check my server logs and apply.

  3. Joshua Wilson 2014/02/25 3:31 am

    Cam this be used in the apache config for global use?

    • Jeff Starr 2014/02/25 1:36 pm

      Yes it cam, but it may require some slight changes to the syntax to work from the config file.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
GA Pro: Add Google Analytics to WordPress like a pro.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.